Copyright © 2015 CyberSecurity Malaysia Copyright © 2015 CyberSecurity Malaysia

������

CHALLENGES IN SUSTAINING A COMPUTER EMERGENCY RESPONSE TEAM: MALAYSIA CERT EXPERIENCE

SHARIFAH ROZIAH MOHD KASSIM

MYCERT CYBERSECURITY MALAYSIA

Copyright © 2015 CyberSecurity Malaysia

Agenda

•  Brief Introduction About MyCERT •  Our Services and Achievements •  Challenges in Sustaining our Team •  Lessons Learnt •  Areas of Improvement •  Conclusion •  Q&A

2

Copyright © 2015 CyberSecurity Malaysia

Brief Introduction to MyCERT

Launched in 1997 as a technical reference centre in Malaysia

Parked and funded under the Ministry of Science, Innovation & Technology, to provide Incident Response for the general public and organizations in Malaysia

Operating with 18 staff with two main services, Incident Response(Reactive) and Malware Research (Pro-active)

Audience: Malaysian Internet User

International Affiliation: Deputy Chair of APCERT, Permanent Secretariat of OICCERT. A member of FIRST – active in FIRST Membership sponsor.

Copyright © 2015 CyberSecurity Malaysia

Services

Reactive Proactive

1.  Incident Response and Handling

2.  Security Operation Centre (SOC)

3.  Security Advisory & Alerts 4.  Cyber Security Crisis

1.  Watch and Warn / Threat Monitoring

2.  Applied Research 3.  Tools development 4.  Malware Analysis 5.  Security Advisory & Alerts

Copyright © 2015 CyberSecurity Malaysia

Incident  Repor-ng  Channels    §  Email  

o  cyber999@cybersecurity.my  §  Phone/Hotline  

o  +603  8992  6888  o  1  300  88  2999  

§  Fax  o  +603  8945  3442  

§  SMS  o  15888  “Cyber999  Report”  

§  Mobile  (24x7)  o  +6019  266  5850  

§  Online  –  hSp://www.mycert.org.my  §  Walk  In  -­‐  Office  Hours:  MYT  0900  –  1800  §  Mobile  applica-on  (iOS  and  Android)       5

Copyright © 2015 CyberSecurity Malaysia 6

115 342 728 503 920 739 911 915 835 1732

1038 2123

3564

8090

15218

9986 10636

11918

8172

0

2000

4000

6000

8000

10000

12000

14000

16000

Incidents  Handled  by  MyCERT  (1997  –  2015)  

Increasing…    

Copyright © 2015 CyberSecurity Malaysia

Incidents Handled by Category (2014)

7  

hSp://www.mycert.org.my/sta-s-cs/2014.php  

Fraud – phishing, online scam, 419 scam, purchase,

impersonation, spoofing

Copyright © 2015 CyberSecurity Malaysia

Incidents Handled by Category (2015)

JAN FEB MAR APR MAY JUN JUL AUG SEP TOTAL

Content Related 2 3 3 3 0 4 6 3 1 25

Cyber Harassment 30 40 32 51 30 45 42 32 24 326

Denial of Service 1 2 2 5 3 3 5 7 2 30

Fraud 276 235 232 313 303 388 253 252 247 2499

Intrusion 88 508 29 63 21 20 85 233 206 1253

Intrusion Attempt 28 22 21 21 10 6 13 8 13 142

Malicious Codes 21 30 26 26 35 51 43 39 220 491

Spam 389 430 455 434 348 850 338 88 58 3390

Vulnerabilities Report 1 1 2 2 4 0 1 3 2 16

836 1271 802 918 754 1367 786 665 773 8172

hSp://www.mycert.org.my/sta-s-cs/2015.php  

Fraud – phishing, online scam, 419 scam, purchase,

impersonation, spoofing

Copyright © 2015 CyberSecurity Malaysia 9  

Local News Coverage On MyCERT

Copyright © 2015 CyberSecurity Malaysia 10

What we have seen in year 2014

Jan     Feb   Mar   April     May   Jun     July   Aug   Sept   Oct   Nov   Dec  

HeartBleed  Vulnerabili-es  

ShellShock  Vulnerabili-es  

Banker  Malware  

Android  Malware  –  Premium  SMS  

Mass  Web  Defacement  Incident  

Hoax  Message/Malware  ASack  MH370  Planes  missing  

Spear  Phishing  ASack  related  to  MH370  

Malware  aSack  on  MH17  tragedy  

DDOS  ASack  towards  FI  

‘Is  this  your  photo’  SMS  Malware  

Copyright © 2015 CyberSecurity Malaysia

Malware Research Centre (MRC)

11

Emerging  Threats  

LebahNet  Project  

Malware  Research  

Threats  VisualizaKon  

Advisory  &  Alerts    

EXPLOIT

MRC Projects/Activities Advisories and Alerts

§  Software vulnerabilities (Advisories)

•  0-day vulnerabilities (Java, PDF)

•  Patch / Upgrade

•  Security  update  for  Firefox

§  Outbreaks 2015 (Alerts)

•  Circula-on  of  Emails  ASached  with  Malicious  Document    

•  ASack  to  .my  domains    

11

Copyright © 2015 CyberSecurity Malaysia

Advisory  and  Alerts    

12

hSps://www.mycert.org.my/en/services/advisories/mycert/2015/main/index.html  

Advisories  and  Alerts    

Copyright © 2015 CyberSecurity Malaysia

Honeynet - LebahNet

IP Distribution Uniq Binaries

Malware Analysis

Attack sources

LebahNet  13

Copyright © 2015 CyberSecurity Malaysia

Malware Distribution Sensor

Malware  Research  

14

Copyright © 2015 CyberSecurity Malaysia

Challenges in Sustaining a CERT

15

Stakeholder  Buy-­‐In  

Coopera-on  from    Various  

Par-es  

Staffing  and  Skills  &  Exper-se  

Budget   Quality  of  service  

Change  in  Nature  of  Incident  

Copyright © 2015 CyberSecurity Malaysia

Stakeholders  Buy-­‐In  

Challenge to convince the roles of CERTS and its capabilities to a constituency

Stakeholder looks into investment that brings return (ROI). CERTs are non-profit organization.

Must achieve targeted Key Performance Indicators

Copyright © 2015 CyberSecurity Malaysia

Cooperation from Various Parties: Local & International

1) Cooperation from Law Enforcement Agencies

2) Cooperation from Service Providers, 3) CERT to CERT cooperation 4) Cross border issues: Language, Culture, Law.            

Copyright © 2015 CyberSecurity Malaysia

Staffing,  Skills  and  ExperKse  

Insufficient staff to meet the growing needs and demands  

Developing/maintaining  skills  and  exper-se    

Reduce  staff  turn  over  –  improve  staff  benefits  

Copyright © 2015 CyberSecurity Malaysia 19

Advantages

Budget  

Not-self funded

Depends on

Economic

May need to start charge service

Affect Resources

and operations

Budget  

Copyright © 2015 CyberSecurity Malaysia

Quality of Service

1) Consistency & improvement to the quality of current service

2) Introduce more new value-add service for public 3) Customer satisfaction should be a priority 4) Develop new tools to support the operation 5) Incident resolution rate            

Copyright © 2015 CyberSecurity Malaysia

Nature of Incidents Change

1) Technical vs Non-technical Incidents

2) Challenge to respond to non-technical incidents 3) Victims are aggressive 4) Escalation to Law Enforcement Agencies – incidents sometimes become less priority for Law Enforcement.        

Copyright © 2015 CyberSecurity Malaysia

Areas of Improvement for CERTS

Stakeholders buy-in

Understanding the constituency and its needs  

Resources  with  necessary  skills  and  exper-se  

Effec-ve  Communica-on  with  all  par-es  

Efficient  Opera-ons  and  services  

Copyright © 2015 CyberSecurity Malaysia

Lessons Learnt •  Communication is essential. Need to communicate well on issue faced

by the CERT with relevant parties & communication on operational matters.

•  Need to ensure the CERTs direction is well understood by all parties in the constituency to avoid misconception on CERT’s roles.

•  Selecting right resources with the right skillsets. Always have business contingency plan to address staff turn over issue.

•  CERTs need to come up with their own new ideas and solutions to

overcome problems and issues related to budget. •  Issues and problems in CERT must not affect the CERTs main

functions.

 

           

Copyright © 2015 CyberSecurity Malaysia

Conclusion

           

•  MyCERT’s  presence  is  needed  in  our  cons-tuency  to  address  the  ever  growing  cyber  incidents.  

•  Good  coopera-on  and  collabora-on  with  the  APCERT,  OIC  CERT,  South  East  Asia  countries  CERTs  and  FIRST  community  has  further  improved  our  visibility  in  the  global.  

 •  However,  there  are  s-ll  many  improvements  

need  to  be  made  in  order  to  sustain  our  con-nuity  and  our  visibility.  

•  Need  to  immediately  address  challenges  and  issues  by  coming  up  with  effec-ve  solu-ons  

   

Copyright © 2015 CyberSecurity Malaysia 25

Copyright © 2015 CyberSecurity Malaysia Copyright © 2015 CyberSecurity Malaysia 26